Want to get into InfoSec, Looking for advice...

OpenSource Member Posts: 135
Quick background;

I will be 31 in August. I've been building and working on/with computers since I was 13. My father bought a Gateway PC with Win98.
Honestly, IT is the only thing I've really ever known or been good at.

Anyway... I have my A+ and a 2 year AS degree in Computer Network Systems (a worthless laughably overpriced piece of paper).
My original intention was to eventually move into a networking based role, because I understand you have to start at the bottom.
But I don't enjoy networking anymore and I haven't for many years now.

I tried the call center gig, and that lasted all of 3-4 months before I wanted to kill myself.
Afterwards, I moved onto working as an IT service contractor for a very large technology company.
I worked my way up through several promotions and several different jobs within the company.

Just short of 3 years later, I hit the ceiling in terms of where I was going to go with that company and honestly I just felt burned out.
So I left and decided to take a break, exploring some non-IT related opportunities.
It's been 5-6 months and that adventure is now over.

I'm unemployed and I'm looking to get back into IT.
While the struggle to find work is just part of the gig, I'm trying to consider my future.
Which brings me to the point of this post...


To the point;

I want to move past break fix roles, and move into InfoSec.
With the world becoming more and more digital on a daily basis, I see InfoSec as being something in need, I can develop into a career and something I may actually enjoy (moving beyond mind numbing repetitive redundant break fix).

But that's about all I know.
Aside from the basics, I have no idea what I'm doing when it comes to an actual InfoSec job.

So my question is this... Where do I start? How do I get into the world of InfoSec?

I would like to avoid more schooling and worthless expensive degrees.
So is something like Security+ the best place to start? Or perhaps another cert (CEH, CCNA Security, etc.)?
Or is there something else? How did you guys get into InfoSec?

Thanks.

Comments

  • volfkhat Member Posts: 1,072
    I don't know anything about InfoSec, but I do know that the Security+ curriculum was pretty interesting stuff.
    Professor Messer (YouTube) and Darril Gibson (book) were a winning combination (and very affordable).

    Personally, I think it's better to have a foundation in "something else" prior to moving into InfoSec.
    You really need a base foundation to build from (Networking, Server admin, DBA, etc).

    But I'll let others speak more directly on what it takes....
  • devilbones Member Posts: 318
    You pick an area of IT, like server engineering and you become the best at it. After you are the best you move into the security world and help other engineers build secure systems and a comprehensive security strategy. You need to be really good at something first. You choose.
  • dmoore44 Member Posts: 646
    There are several niches in InfoSec, so before you head down a cert path, it might be worth it to determine what sort of work you're really interested in and then pursue that cert... To start, there's
    - audit/compliance (ISACA's CISA is a good cert here)
    - DFIR (several certs available, the SANS offerings being among the best)
    - policy (ISACA's CRISC being worthy of pursuit)
    - malware analysis/RE (check the SANS GREM cert)
    - pentesting (the OSCP is the most rigorous and is gaining prominence, but CEH sadly is still commonly sought)
    - vulnerability analysis/vulnerability management (I believe SANS has a cert for this... probably a lot of vendor related certs too)
    - security engineering (put the pieces of a security stack together... no cert that I know of)
    - threat intel (this is a somewhat immature discipline... usually helps to have prior gov experience, no cert available)

    There are several other certs available... the CISSP is probably the most desired cert from a HR perspective, but it's really an all-around/general knowledge cert. Of course, there are certs pushed by vendors, but I've never seen a security related vendor cert listed as a requirement in a job req.
    Graduated Carnegie Mellon University MSIT: Information Security & Assurance Currently Reading Books on TensorFlow
  • Danielm7 Member Posts: 2,310
    I think you need to take a few steps back and look at your goals first. Why infosec? Just saying you hate break fix and call center jobs just means just about every other job in IT is an option. Honestly, infosec isn't easy to get into, especially if you don't have a somewhat related background / experience and education/certs as well. If you just don't like your past jobs, try looking into ALL the areas of IT and what might interest you other than "there are a lot of jobs available", all that means is there aren't a lot of qualified people, not that companies will hire anyone who applies.

    I'd look at all avenues, not just the flavor of the week: databases, cloud, virtualization, Linux, etc.
  • ITSec14 Member Posts: 398
    Read Darril Gibson's Security+ book. It gave me a nice well-rounded view of security. Security isn't all technical stuff either. You can really do a lot of different things. Just always keep in mind that you have to know what you want to secure and why. Security must support the needs of the business.
  • dmoore44 Member Posts: 646
    ITSec14 wrote: »
    Security must support the needs of the business.

    A few articles to take note of:
    https://techcrunch.com/2016/11/29/every-company-is-a-technology-company-but-most-dont-behave-like-one/
    https://www.forbes.com/sites/forbestechcouncil/2017/01/23/why-every-company-is-a-technology-company/#37a2b63257ae

    While I understand the point you're making - that security shouldn't be an impediment to the ultimate objective of the company (i.e. make money), the reality of the situation is that the vast majority of companies are now wholly dependent on technology, and that technology needs to be secured... which means that some areas of the business are going to be inconvenienced by security requirements... Why? So that vulnerabilities are patched in a timely manner, so that the network is properly segmented, so that access to sensitive data is restricted, so that the least-privilege principle is followed, etc... All of these are basic block & tackle security controls, but organizations still struggle with them because they "don't meet the needs of the business"...
    Graduated Carnegie Mellon University MSIT: Information Security & Assurance Currently Reading Books on TensorFlow
  • TheFORCE Member Posts: 2,297
    Infosec has more repetitive tasks than break fix, just FYI. Instead of hardware you are just dealing with software and reports. Infosec can get mind-numbing very fast too. Requires a lot of studying and reading daily just to be somewhat familiar with what's going on out there. Not an easy field. No one ever becomes an expert.
  • jibtech Member Posts: 424
    I can't speak for anyone else's situation, but I have found a broad range of experience across IT to be invaluable to success in InfoSec.

    Without understanding the nuance of each speciality, I would be lost at being effective.

    For me, InfoSec is a lot like being a Technical Architect. It just isn't something you go directly into. You have to spend some time everywhere else first.
  • ITSec14 Member Posts: 398
    dmoore44 wrote: »
    A few articles to take note of:
    https://techcrunch.com/2016/11/29/every-company-is-a-technology-company-but-most-dont-behave-like-one/
    https://www.forbes.com/sites/forbestechcouncil/2017/01/23/why-every-company-is-a-technology-company/#37a2b63257ae

    While I understand the point you're making - that security shouldn't be an impediment to the ultimate objective of the company (i.e. make money), the reality of the situation is that the vast majority of companies are now wholly dependent on technology, and that technology needs to be secured... which means that some areas of the business are going to be inconvenienced by security requirements... Why? So that vulnerabilities are patched in a timely manner, so that the network is properly segmented, so that access to sensitive data is restricted, so that the least-privilege principle is followed, etc... All of these are basic block & tackle security controls, but organizations still struggle with them because they "don't meet the needs of the business"...

    Well obviously technology has to be secured lol. What I'm really implying is the process involved with evaluating what security controls make sense for the business. Security doesn't have to be the group that says "No" to everything the business wants to do. Instead, it should be security's job to say, "That's probably not best practice, but here is another solution that will push security and also allow for the business to accomplish its goals." There are many cases where putting security controls in place really doesn't make sense nor is it cost effective. I've met security folks who just want to secure anything and everything, but that's not realistic.
  • BillHoo Member Posts: 207
    Unemployment aside, it sounds like you're also bored of your past jobs.

    There are organizations that are in great need of IT and IT Security practitioners. They can make use of your knowledge and experience and perhaps even give you a chance to elevate further and... be all that you can be. In return, they offer action and adventure. The ability to travel to far away lands, experience new cultures and meet new people....

    At age 31 you are still below the current cutoff age to... enlist in such adventures if you are lean, mean and healthy. It certainly is a lifestyle change and it can also open doors for you when they grant you a security clearance.

    Are you up to the challenge?
  • alias454 Member Posts: 648
    @OP here are some links to get started with
    https://tisiphone.net/2015/10/12/starting-an-infosec-career-the-megamix-chapters-1-3/
    https://tisiphone.net/2015/11/08/starting-an-infosec-career-the-megamix-chapters-4-5/
    https://tisiphone.net/2016/02/10/starting-an-infosec-career-the-megamix-chapter-6/
    https://tisiphone.net/2016/08/26/starting-an-infosec-career-the-megamix-chapter-7/

    I found going to local meetups and security conferences to be extremely helpful. I started going about 3 months ago and met some really cool people who were willing to share what they know. Many of the smaller local cons and meetups have high quality training for cheap/free too.

    Twitter has some good resources available for finding infosec jobs; look at #InfoSecJobs to see what's out there, along with the normal channels like Indeed etc.
    “I do not seek answers, but rather to understand the question.”